Group items tagged

Nginx is one of the most popular web servers in the world. It can successfully handle high loads with many concurrent client connections, and can easily function as a web server, a mail server, or a reverse proxy server.

The main server block directives that Nginx is concerned with during this process are the listen directive, and the server_name directive.

The listen directive typically defines which IP address and port that the server block will respond to.

Nginx translates all “incomplete” listen directives by substituting missing values with their default values so that each block can be evaluated by its IP address and port.

In any case, the port must be matched exactly.

If there are multiple server blocks with the same level of specificity matching, Nginx then begins to evaluate the server_name directive of each server block.

Nginx checks the request’s “Host” header. This value holds the domain or IP address that the client was actually trying to reach.

Nginx will first try to find a server block with a server_name that matches the value in the “Host” header of the request exactly.

If no exact match is found, Nginx will then try to find a server block with a server_name that matches using a leading wildcard (indicated by a * at the beginning of the name in the config).

If no match is found using a leading wildcard, Nginx then looks for a server block with a server_name that matches using a trailing wildcard (indicated by a server name ending with a * in the config)

If no match is found using a trailing wildcard, Nginx then evaluates server blocks that define the server_name using regular expressions (indicated by a ~ before the name).

If no regular expression match is found, Nginx then selects the default server block for that IP address and port.

If no modifiers are present, the location is interpreted as a prefix match.

=: If an equal sign is used, this block will be considered a match if the request URI exactly matches the location given.

~: If a tilde modifier is present, this location will be interpreted as a case-sensitive regular expression match.

~*: If a tilde and asterisk modifier is used, the location block will be interpreted as a case-insensitive regular expression match.

^~: If a carat and tilde modifier is present, and if this block is selected as the best non-regular expression match, regular expression matching will not take place.

Keep in mind that if this block is selected and the request is fulfilled using an index page, an internal redirect will take place to another location that will be the actual handler of the request

Keeping in mind the types of location declarations we described above, Nginx evaluates the possible location contexts by comparing the request URI to each of the locations.

Nginx begins by checking all prefix-based location matches (all location types not involving a regular expression).

First, Nginx looks for an exact match.

If no exact (with the = modifier) location block matches are found, Nginx then moves on to evaluating non-exact prefixes.

After the longest matching prefix location is determined and stored, Nginx moves on to evaluating the regular expression locations (both case sensitive and insensitive).

by default, Nginx will serve regular expression matches in preference to prefix matches.

regular expression matches within the longest prefix match will “jump the line” when Nginx evaluates regex locations.

The exceptions to the “only one location block” rule may have implications on how the request is actually served and may not align with the expectations you had when designing your location blocks.

The index directive always leads to an internal redirect if it is used to handle the request.

In the case above, if you really need the execution to stay in the first block, you will have to come up with a different method of satisfying the request to the directory.

one way of preventing an index from switching contexts, but it’s probably not useful for most configurations

the try_files directive. This directive tells Nginx to check for the existence of a named set of files or directories.

the rewrite directive. When using the last parameter with the rewrite directive, or when using no parameter at all, Nginx will search for a new matching location based on the results of the rewrite.

The error_page directive can lead to an internal redirect similar to that created by try_files.

when certain status codes are encountered.

ACLs allows flexible network traffic forwarding based on a variety of factors like pattern-matching and the number of connections to a backend

A backend is a set of servers that receives forwarded requests

adding more servers to your backend will increase your potential load capacity by spreading the load over multiple servers

mode http specifies that layer 7 proxying will be used

specifies the load balancing algorithm

health checks

A frontend defines how requests should be forwarded to backends

use_backend rules, which define which backends to use depending on which ACL conditions are matched, and/or a default_backend rule that handles every other case

A frontend can be configured to various types of network traffic

Load balancing this way will forward user traffic based on IP range and port

Generally, all of the servers in the web-backend should be serving identical content--otherwise the user might receive inconsistent content.

Using layer 7 allows the load balancer to forward requests to different backend servers based on the content of the user's request.

allows you to run multiple web application servers under the same domain and port

acl url_blog path_beg /blog matches a request if the path of the user's request begins with /blog.

Round Robin selects servers in turns

Selects the server with the least number of connections--it is recommended for longer sessions

This selects which server to use based on a hash of the source IP

ensure that a user will connect to the same server

require that a user continues to connect to the same backend server. This persistence is achieved through sticky sessions, using the appsession parameter in the backend that requires it.

HAProxy uses health checks to determine if a backend server is available to process requests.

The default health check is to try to establish a TCP connection to the server

If a server fails a health check, and therefore is unable to serve requests, it is automatically disabled in the backend

However, your load balancer is a single point of failure in these setups; if it goes down or gets overwhelmed with requests, it can cause high latency or downtime for your service.

A high availability (HA) setup is an infrastructure without a single point of failure

a static IP address that can be remapped from one server to another.

If that load balancer fails, your failover mechanism will detect it and automatically reassign the IP address to one of the passive servers.

contexts can be layered within one another

The children contexts can override these values at will

Nginx will error out on reading a configuration file with directives that are declared in the wrong context.

The most general context is the "main" or "global" context

Any directive that exist entirely outside of these blocks is said to inhabit the "main" context

The main context represents the broadest environment for Nginx configuration.

The "events" context is contained within the "main" context. It is used to set global options that affect how Nginx handles connections at a general level.

Nginx uses an event-based connection processing model, so the directives defined within this context determine how worker processes should handle connections.

the connection processing method is automatically selected based on the most efficient choice that the platform has available

a worker will only take a single connection at a time

When configuring Nginx as a web server or reverse proxy, the "http" context will hold the majority of the configuration.

fine-tune the TCP keep alive settings (keepalive_disable, keepalive_requests, and keepalive_timeout)

multiple declarations

each instance defines a specific virtual server to handle client requests

Each client request will be handled according to the configuration defined in a single server context, so Nginx must decide which server context is most appropriate based on details of the request.

listen: The ip address / port combination that this server block is designed to respond to.

server_name: This directive is the other component used to select a server block for processing.

configure files to try to respond to requests (try_files)

issue redirects and rewrites (return and rewrite)

set arbitrary variables (set)

Location contexts share many relational qualities with server contexts

multiple location contexts can be defined, each location is used to handle a certain type of client request, and each location is selected by virtue of matching the location definition against the client request through a selection algorithm

Location blocks live within server contexts and, unlike server blocks, can be nested inside one another.

The request URI is the portion of the request that comes after the domain name or IP address/port combination.

New directives at this level allow you to reach locations outside of the document root (alias), mark the location as only internally accessible (internal), and proxy to other servers or locations (using http, fastcgi, scgi, and uwsgi proxying).

These can then be used to do A/B testing by providing different content to different hosts.

configures Perl handlers for the location they appear in

set the value of a variable depending on the value of another variable

used to map MIME types to the file extensions that should be associated with them.

this context defines a named pool of servers that Nginx can then proxy requests to

The upstream context can then be referenced by name within server or location blocks to pass requests of a certain type to the pool of servers that have been defined.

function as a high performance mail proxy server

The mail context is defined within the "main" or "global" context (outside of the http context).

Nginx has the ability to redirect authentication requests to an external authentication server

the if directive in Nginx will execute the instructions contained if a given test returns "true".

The limit_except context is used to restrict the use of certain HTTP methods within a location context.

The result of the above example is that any client can use the GET and HEAD verbs, but only clients coming from the 192.168.1.1/24 subnet are allowed to use other methods.

Many directives are valid in more than one context

Declaring at higher levels provides you with a sane default

Nginx already engages in a well-documented selection algorithm for things like selecting server blocks and location blocks.

incorrect requests can get by with a redirect rather than a rewrite, which should execute with lower overhead.

Nginx is built to handle many concurrent connections at the same time.

provides you with flexibility in easily adding backend servers or taking them down as needed for maintenance

Proxying in Nginx is accomplished by manipulating a request aimed at the Nginx server and passing it to other servers for the actual processing

When a request matches a location with a proxy_pass directive inside, the request is forwarded to the URL given by the directive

The request coming from Nginx on behalf of a client will look different than a request coming directly from a client

Nginx gets rid of any empty headers

Nginx, by default, will consider any header that contains underscores as invalid. It will remove these from the proxied request

The "Host" header is re-written to the value defined by the $proxy_host variable.

The upstream should not expect this connection to be persistent

Headers with empty values are completely removed from the passed request.

by default, this will be set to the value of $proxy_host, a variable that will contain the domain name or IP address and port taken directly from the proxy_pass definition

This is selected by default as it is the only address Nginx can be sure the upstream server responds to

$http_host: Sets the "Host" header to the "Host" header from the client request.

preference to: the host name from the request line itself

set the "Host" header to the $host variable. It is the most flexible and will usually provide the proxied servers with a "Host" header filled in as accurately as possible

This variable takes the value of the original X-Forwarded-For header retrieved from the client and adds the Nginx server's IP address to the end.

Once defined, this name will be available for use within proxy passes as if it were a regular domain name

By default, this is just a simple round-robin selection process (each request will be routed to a different host in turn)

Specifies that new connections should always be given to the backend that has the least number of active connections.

distributes requests to different servers based on the client's IP address.

mainly used with memcached proxying

As for the hash method, you must provide the key to hash against

Server Weight

Nginx's buffering and caching capabilities

Without buffers, data is sent from the proxied server and immediately begins to be transmitted to the client.

With buffers, the Nginx proxy will temporarily store the backend's response and then feed this data to the client

Nginx defaults to a buffering design

can be set in the http, server, or location contexts.

the sizing directives are configured per request, so increasing them beyond your need can affect your performance

When buffering is "off" only the buffer defined by the proxy_buffer_size directive will be used

A high availability (HA) setup is an infrastructure without a single point of failure, and your load balancers are a part of this configuration.

multiple load balancers (one active and one or more passive) behind a static IP address that can be remapped from one server to another.

Nginx also provides a way to cache content from backend servers

proxy_cache backcache;

The proxy_cache_bypass directive is set to the $http_cache_control variable. This will contain an indicator as to whether the client is explicitly requesting a fresh, non-cached version of the resource

For private content, you should set the Cache-Control header to "no-cache", "no-store", or "private" depending on the nature of the data

Name servers host a domain’s DNS information in a text file called the zone file

Start of Authority (SOA) records

You’ll want to specify at least two name servers. That way, if one of them is down, the next one can continue to serve your DNS information.

Every domain’s zone file contains the admin’s email address, the name servers, and the DNS records.

a zone file, which lists domains and their corresponding IP addresses (and a few other things)

TLD nameserver

ISPs cache a lot of DNS information after they’ve looked it up the first time

Usually caching is a good thing, but it can be a problem if you’ve recently made a change to your DNS information

An A record matches up a domain (or subdomain) to an IP address

point different subdomains to different IP addresses

An AAAA record is just like an A record, but for IPv6 IP addresses.

An AXFR record is a type of DNS record used for DNS replication

used on a slave DNS server to replicate the zone file from a master DNS server

DNS Certification Authority Authorization uses DNS to allow the holder of a domain to specify which certificate authorities are allowed to issue certificates for that domain.

A CNAME record or Canonical Name record matches up a domain (or subdomain) to a different domain.

You should not use a CNAME record for a domain that gets email, because some mail servers handle mail oddly for domains with CNAME records

the target domain for a CNAME record should have a normal A-record resolution

a CNAME record does not function the same way as a URL redirect

A DKIM record or domain keys identified mail record displays the public key for authenticating messages that have been signed with the DKIM protocol

An MX record or mail exchange record sets the mail delivery destination for a domain (or subdomain).

Ideally, an MX record should point to a domain that is also the hostname for its server.

Lower numbers have a higher priority

NS records or name server records set the nameservers for a domain (or subdomain).

You can also set up different nameservers for any of your subdomains.

The order of NS records does not matter; DNS requests are sent randomly to the different servers, and if one host fails to respond, another one will be queried.

A PTR record or pointer record matches up an IP address to a domain (or subdomain), allowing reverse DNS queries to function.

PTR records are usually set with your hosting provider. They are not part of your domain’s zone file.

An SOA record or Start of Authority record labels a zone file with the name of the host where it was originally created.

The administrative email address is written with a period (.) instead of an at symbol (<@>).

The single nameserver mentioned in the SOA record is considered the primary master for the purposes of Dynamic DNS and is the server where zone file changes get made before they are propagated to all other nameservers.

An SPF record or Sender Policy Framework record lists the designated mail servers for a domain (or subdomain).

An SPF record for your domain tells other receiving mail servers which outgoing server(s) are valid sources of email, so they can reject spoofed email from your domain that has originated from unauthorized servers.

Your SPF record will have a domain or subdomain, type (which is TXT, or SPF if your name server supports it), and text (which starts with “v=spf1” and contains the SPF record settings).

An SRV record or service record matches up a specific service that runs on your domain (or subdomain) to a target domain.

A TXT record or text record provides information about the domain in question to other resources on the Internet.

One common use of the TXT record is to create an SPF record on nameservers that don’t natively support SPF.

Name servers host a domain’s DNS information in a text file called a zone file.

Start of Authority (SOA) records

specifying DNS records, which match domain names to IP addresses.

Every domain’s zone file contains the domain administrator’s email address, the name servers, and the DNS records.

Your ISP’s DNS resolver queries a root nameserver for the proper TLD nameserver. In other words, it asks the root nameserver, *Where can I find the nameserver for .com domains?*

In actuality, ISPs cache a lot of DNS information after they’ve looked it up the first time.

An A record points your domain or subdomain to your Linode’s IP address,

use an asterisk (*) as your subdomain

An AAAA record is just like an A record, but for IPv6 IP addresses.

An AXFR record is a type of DNS record used for DNS replication

DNS Certification Authority Authorization uses DNS to allow the holder of a domain to specify which certificate authorities are allowed to issue certificates for that domain.

A CNAME record or Canonical Name record matches a domain or subdomain to a different domain.

Some mail servers handle mail oddly for domains with CNAME records, so you should not use a CNAME record for a domain that gets email.

MX records cannot reference CNAME-defined hostnames.

A DKIM record or DomainKeys Identified Mail record displays the public key for authenticating messages that have been signed with the DKIM protocol

DKIM records are implemented as text records.

An MX record or mail exchanger record sets the mail delivery destination for a domain or subdomain.

An MX record should ideally point to a domain that is also the hostname for its server.

Priority allows you to designate a fallback server (or servers) for mail for a particular domain. Lower numbers have a higher priority.

NS records or name server records set the nameservers for a domain or subdomain.

You can also set up different nameservers for any of your subdomains

Primary nameservers get configured at your registrar and secondary subdomain nameservers get configured in the primary domain’s zone file.

A PTR record or pointer record matches up an IP address to a domain or subdomain, allowing reverse DNS queries to function.

opposite service an A record does

PTR records are usually set with your hosting provider. They are not part of your domain’s zone file.

An SOA record or Start of Authority record labels a zone file with the name of the host where it was originally created.

Minimum TTL: The minimum amount of time other servers should keep data cached from this zone file.

An SPF record or Sender Policy Framework record lists the designated mail servers for a domain or subdomain.

An SPF record for your domain tells other receiving mail servers which outgoing server(s) are valid sources of email so they can reject spoofed mail from your domain that has originated from unauthorized servers.

Make sure your SPF records are not too strict.

An SRV record or service record matches up a specific service that runs on your domain or subdomain to a target domain.

Service: The name of the service must be preceded by an underscore (_) and followed by a period (.)

Protocol: The name of the protocol must be proceeded by an underscore (_) and followed by a period (.)

Port: The TCP or UDP port on which the service runs.

Target: The target domain or subdomain. This domain must have an A or AAAA record that resolves to an IP address.

A TXT record or text record provides information about the domain in question to other resources on the internet.

Read-only (RO) transactions need no coordination within the group and thus commit immediately

any RW transaction the group needs to decide whether it commits or not, thus the commit operation is not a unilateral decision from the originating server

when a transaction is ready to commit at the originating server, the server atomically broadcasts the write values (rows changed) and the correspondent write set (unique identifiers of the rows that were updated). Then a global total order is established for that transaction.

The resolution procedure states that the transaction that was ordered first commits on all servers, whereas the transaction ordered second aborts, and thus is rolled back on the originating server and dropped by the other servers in the group. This is in fact a distributed first commit wins rule

Group Replication is a shared-nothing replication scheme where each server has its own entire copy of the data

MySQL Group Replication protocol

A chart is organized as a collection of files inside of a directory.

values.yaml # The default configuration values for this chart

charts/ # A directory containing any charts upon which this chart depends.

version: A SemVer 2 version (required)

apiVersion: The chart API version, always "v1" (required)

Every chart must have a version number. A version must follow the SemVer 2 standard.

When generating a package, the helm package command will use the version that it finds in the Chart.yaml as a token in the package name.

the appVersion field is not related to the version field. It is a way of specifying the version of the application.

appVersion: The version of the app that this contains (optional). This needn't be SemVer.

If the latest version of a chart in the repository is marked as deprecated, then the chart as a whole is considered to be deprecated.

deprecated: Whether this chart is deprecated (optional, boolean)

one chart may depend on any number of other charts.

the preferred method of declaring dependencies is by using a requirements.yaml file inside of your chart.

A requirements.yaml file is a simple file for listing your dependencies.

The repository field is the full URL to the chart repository.

helm dependency update and it will use your dependency file to download all the specified charts into your charts/ directory for you.

When helm dependency update retrieves charts, it will store them as chart archives in the charts/ directory.

All charts are loaded by default.

The condition field holds one or more YAML paths (delimited by commas). If this path exists in the top parent’s values and resolves to a boolean value, the chart will be enabled or disabled based on that boolean value.

The tags field is a YAML list of labels to associate with this chart.

all charts with tags can be enabled or disabled by specifying the tag and a boolean value.

The --set parameter can be used as usual to alter tag and condition values.

The first condition path that exists wins and subsequent ones for that chart are ignored.

The keys containing the values to be imported can be specified in the parent chart’s requirements.yaml file using a YAML list. Each item in the list is a key which is imported from the child chart’s exports field.

specifying the key data in our import list, Helm looks in the exports field of the child chart for data key and imports its contents.

To access values that are not contained in the exports key of the child chart’s values, you will need to specify the source key of the values to be imported (child) and the destination path in the parent chart’s values (parent).

To drop a dependency into your charts/ directory, use the helm fetch command

A dependency can be either a chart archive (foo-1.2.3.tgz) or an unpacked chart directory.

a single release is created with all the objects for the chart and its dependencies.

When Helm renders the charts, it will pass every file in that directory through the template engine.

Chart users may supply a YAML file that contains values. This can be provided on the command line with helm install.

Template files follow the standard conventions for writing Go templates

{{default "minio" .Values.storage}}

Values that are supplied via a values.yaml file (or via the --set flag) are accessible from the .Values object in a template.

Release.Name: The name of the release (not the chart)

Release.IsUpgrade: This is set to true if the current operation is an upgrade or rollback.

Chart: The contents of the Chart.yaml

Files: A map-like object containing all non-special files in the chart.

Files can be accessed using {{index .Files "file.name"}} or using the {{.Files.Get name}} or {{.Files.GetString name}} functions.

access the contents of the file as []byte using {{.Files.GetBytes}}

Any unknown Chart.yaml fields will be dropped

Chart.yaml cannot be used to pass arbitrarily structured data into the template.

A values file is formatted in YAML.

A chart may include a default values.yaml file

accessible inside of templates using the .Values object

Values files can declare values for the top-level chart, as well as for any of the charts that are included in that chart’s charts/ directory.

Charts at a higher level have access to all of the variables defined beneath.

lower level charts cannot access things in parent charts

Values are namespaced, but namespaces are pruned.

Helm supports special “global” value.

a way of sharing one top-level variable with all subcharts, which is useful for things like setting metadata properties like labels.

global variables of parent charts take precedence over the global variables from subcharts.

helm lint

A chart repository is an HTTP server that houses one or more packaged charts

Any HTTP server that can serve YAML files and tar files and can answer GET requests can be used as a repository server.

Helm does not provide tools for uploading charts to remote repository servers.

the only way to add a chart to $HELM_HOME/starters is to manually copy it there.

Helm provides a hook mechanism to allow chart developers to intervene at certain points in a release’s life cycle.

Hooks are declared as an annotation in the metadata section of a manifest

pre-install

post-install: Executes after all resources are loaded into Kubernetes

pre-delete

post-delete: Executes on a deletion request after all of the release’s resources have been deleted.

pre-upgrade

post-upgrade

pre-rollback

post-rollback: Executes on a rollback request after all resources have been modified.

crd-install

test-success: Executes when running helm test and expects the pod to return successfully (return code == 0).

test-failure: Executes when running helm test and expects the pod to fail (return code != 0).

Hooks allow you, the chart developer, an opportunity to perform operations at strategic points in a release lifecycle

Tiller then loads the hook with the lowest weight first (negative to positive)

Tiller returns the release name (and other data) to the client

If the resources is a Job kind, Tiller will wait until the job successfully runs to completion.

good practice to add a hook weight, and set it to 0 if weight is not important.

leave the hook resource alone.

To destroy such resources, you need to either write code to perform this operation in a pre-delete or post-delete hook or add "helm.sh/hook-delete-policy" annotation to the hook template file.

Hooks are just Kubernetes manifest files with special annotations in the metadata section

One resource can implement multiple hooks

no limit to the number of different resources that may implement a given hook.

Hook weights can be positive or negative numbers but must be represented as strings.

sort those hooks in ascending order.

Hook deletion policies

"before-hook-creation" specifies Tiller should delete the previous hook before the new hook is launched.

By default Tiller will wait for 60 seconds for a deleted hook to no longer exist in the API server before timing out.

Custom Resource Definitions (CRDs) are a special kind in Kubernetes.

The crd-install hook is executed very early during an installation, before the rest of the manifests are verified.

A common reason why the hook resource might already exist is that it was not deleted following use on a previous install/upgrade.

Helm uses Go templates for templating your resource files.

two special template functions: include and required

include function allows you to bring in another template, and then pass the results to other template functions.

The required function allows you to declare a particular values entry as required for template rendering.

Quote Strings, Don’t Quote Integers

when working with integers do not quote the values

env variables values which are expected to be string

to include a template, and then perform an operation on that template’s output, Helm has a special include function

The above includes a template called toYaml, passes it $value, and then passes the output of that template to the nindent function.

Go provides a way for setting template options to control behavior when a map is indexed with a key that’s not present in the map

The required function gives developers the ability to declare a value entry as required for template rendering.

The tpl function allows developers to evaluate strings as templates inside a template.

Rendering a external configuration file

(.Files.Get "conf/app.conf")

Image pull secrets are essentially a combination of registry, username, and password.

Automatically Roll Deployments When ConfigMaps or Secrets change

configmaps or secrets are injected as configuration files in containers

a restart may be required should those be updated with a subsequent helm upgrade

The sha256sum function can be used to ensure a deployment’s annotation section is updated if another file changes

helm upgrade --recreate-pods

"helm.sh/resource-policy": keep

resources that should not be deleted when Helm runs a helm delete

create some reusable parts in your chart

In the templates/ directory, any file that begins with an underscore(_) is not expected to output a Kubernetes manifest file.

The current best practice for composing a complex application from discrete parts is to create a top-level umbrella chart that exposes the global configurations, and then use the charts/ subdirectory to embed each of the components.

SAP’s Converged charts: These charts install SAP Converged Cloud a full OpenStack IaaS on Kubernetes. All of the charts are collected together in one GitHub repository, except for a few submodules.

Deis’s Workflow: This chart exposes the entire Deis PaaS system with one chart. But it’s different from the SAP chart in that this umbrella chart is built from each component, and each component is tracked in a different Git repository.

YAML is a superset of JSON

any valid JSON structure ought to be valid in YAML.

As a best practice, templates should follow a YAML-like syntax unless the JSON syntax substantially reduces the risk of a formatting issue.